May 2016

05/19/2016

If it walks like a duck and quacks like a duck, it must be a duck. Apparently, ducks have nothing in common with Windows Service Packs. Microsoft released SP1 for Windows 7 back in 2011 and has only released patches since then, which means you will have to five years of updates after a fresh install of Windows 7 SP1. What a pain.

Microsoft has recently announced something they call the Windows 7 SP1 convenience roll-up. The rollup includes all "security and non-security fixes" since the release of Windows Service Pack 1. This means those five years of updates are all included in a single installation. That sure sounds like a Service Pack to me. No matter what you call it, installations of Windows 7 will be much faster in the future.

In unrelated news, I will be too busy over the next couple of weeks to do any blogging. Look for the posts to resume in the beginning of June.

05/18/2016

Symantec can't be very happy since British white hat hacker, Tavis Ormandy, discovered a huge bug in the core Symantec Antivirus Engine. The flaw is cross-platform and impacts Windows, Mac and *nix operating systems. The bad guys just need to send a carefully formatted file via e-mail or any other method that would force a virus scan of the file. The user doesn't even have to open the file. The bug allows a hacker to gain root access to the target computer. The good news is that Symantec already has a fix, so make sure you run Live Update as soon as possible.

05/17/2016

If you are going to have a walled garden, you get to play king 100% of the time. Spoftpediareports that an app called System and Security Info was pulled from the AppStore. Stefan Esser, the app developer, claims Apple jettisoned the app because of an update. Apparently, the app successfully passed through three reviews by Apple prior to being pulled. The app became very popular since it exposed running processes in iOS 9 and could expose an unknown jailbreak. Apple engineers justified that act stating that the app presented misleading and inaccurate information.

"We noticed that your app provides potentially inaccurate and misleading diagnostic functionality for iOS devices to the user. Currently, there is no publicly available infrastructure to support iOS diagnostic analysis. Therefore your app may report inaccurate information which could mislead or confuse your users. We encourage you to review your app concept and incorporate different content and features that are in compliance with the App Store Review Guidelines."

I read this as saying Apple doesn't want you to know what's going on under the covers. I guess when you're the king you can change the rules at any time and bust out the guillotine.

05/16/2016

The opportunity to take advantage of the free upgrade to Windows 10 ends on July 29, 2016. But what if you are not quite ready to upgrade and don't want to pay for the upgrade at a later time? Not a problem. ZDNetdescribes the process to claim your upgrade and continue to use your current Windows version. You start the process by making sure you backup your current Windows installation. Next you upgrade your system to Windows 10. After the upgrade, you activate the installation. This will generate a Windows 10 license certificate and store it with your installation ID and version that was activated. You then temporarily undo the upgrade and restore your prior version of Windows. This means you can then reactivate your Windows 10 installation any time in the future. For me, I'll probably create a forensic image of my system (because I can) as my backup.

05/12/2016

Windows 10 currently has a feature called Wi-Fi Sense that allows you to share your Wi-Fi password with your contacts. The idea is to make it easy to share your wireless network with family, friends, visitors and others. You do have some controls over Wi-Fi Sense, but I doubt they're actually used. I never thought it was a good feature, especially from a security perspective. Apparently, some other people don't think it's a good idea. Microsoft will be dumping the Wi-Fi Sense feature with a future release. Microsoft decided to drop the feature because it isn't used enough to justify the cost of maintenance.

05/11/2016

Up until now, the biggest microSD card was 200GB. Not anymore. Samsung is now at the top of the heap with the largest capacity microSD card. Beginning in June, you'll be able to purchase Samsung's 256GB microSD card for $249.99. It comes with a 10 year warranty and can store a ton of information such as 12 hours of 4K video or 33 hours of full HD video, in addition to photos and songs. Too bad we can't use one of these monsters to expand the memory of an iPhone.

05/10/2016

It's going to be close, but it looks like Microsoft may actually hit its goal of 1 billion installs within three years of release. You can see the math that justifies this prediction at the post on the SuperSite for Windows. It has already been announced that there are over 300 million devices with Windows 10 installed. The post indicates that, at the most recent rate, Microsoft will just barely meet the prediction of 1 billion installs.

05/09/2016

Let there be no mistake about it. Businesses are moving to the cloud. It is no longer if you will move to the cloud, but how much of your data and applications will be there. Smaller businesses can potentially have better security and data availability when moving to the cloud. No matter what survey you read, it seems that cloud security is always at the top of everyone's list. Not to worry. Dark Reading has listed five questions that every SMB should be asking about cloud services.

What data encryption services are available?

Who is responsible for securing different aspects of the cloud service?

How is the least privileged best practice applied to reducing who has access?

What about penetration testing and certifications?

Does the cloud service provider offer consumption-based pricing?

These questions are a good start, but I would also want to know where my data is being stored (U.S. or other country), who owns the data, is there a fee to get my data back and what happens if law enforcement or the government wants to access my data?

05/05/2016

Security continues to be a major concern for those moving their data and applications to the cloud. Microsoft and Google are alleviating cloud fears by having their systems certified to meet certain standards. For starters, Microsoft's Azure ML service meets certification levels with US HIPAA, ISO 27001, ISO 27018 and the EU Model Clauses. Not to be outdone, Google has 60 products that meet the ISO 27001 standard. Its Google Apps for Work and Google Cloud Platform are also certified for ISO 27017 and ISO 27018.

I fully expect more and more cloud vendors to achieve various certification levels as a way to prove that they are secure and to differentiate themselves from the competition.

05/04/2016

Perhaps the better question is: What is SHA-1? Essentially, SHA-1 is a cryptographic algorithm that is used to generate secure certificates. I previously wrote that browsers would begin to drop accepting SHA-1 as a secure transmission method in early 2016. We now have more news of the deprecation of SHA-1. Microsoft has announced that with the delivery of the Windows 10 Anniversary Update, scheduled for summer 2016 release, both Internet Explorer (IE) and Edge will no longer show the locked icon to indicate a secure website. The two browsers won't actually block websites signed with SHA-1 until February 14, 2017. How fitting that SHA-1 will die for Microsoft browsers on Valentine's Day.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.